Advice re: fixing SMTP SSL Certificate Error

I am one of those holdouts still using Eudora 7.1.0.9 as an e-mail client, in my case under Windows 7 Ultimate.  Yes, I know it is an unsupported legacy application but, like many others, have used it a long time because I like a number of things about its functionality and especially don’t want to deal with switching to something else like Outlook unless and until Eudora no longer works at all.  (I’ve also read that Eudora OSE and Thunderbird are not fully equivalent and also no longer supported either.)

Over the past few years, where Eudora was working just fine for a long period of time, I’ve had several problems sending mail which I’ve been able to fix, including an outgoing port number and a patch to the Eudora.ini file, both related to changes made by my current ISP (Verizon).  However, I recently encountered a new issue involving an untrusted SMTP SSL certificate and, once again, I’ve found what appears to be a solution but this time I am less certain whether it is safe to proceed with the fix.  

The error issued when sending mail says:  

The server’s SSL certificate was rejected for the following reason:
Certficate Error:  Unknown and unprovided root certificate.
Do you want to trust the certificate in future sessions?

This is followed by a display of the certificate and Yes / No buttons for accepting the certificate.

I have spoken with Verizon tech support and they tell me that no changes have been made to their SMTP server that should cause such a problem and that it is a client-side issue.

Through further digging, I found the Certificate Information Manager in Eudora through which this new certificate can be installed.  So far, I have not actually gone ahead with this because of some concerns I have about whether this is totally safe to do.

For one thing, I note that the validity of the certificate is from 2000 through 2025, so clearly it has not expired.  So, I’m wondering why the certificate would suddenly be rejected by Eudora.

One additional possible important detail is that I continue to maintain an email address with an old ISP (other than Verizon) I had in the past for a small monthly fee and receive mail directly through that ISP’s POP server.  To send e-mail, I use the personality functionality of Eudora to generate messages using the domain name of my old ISP through the Verizon SMTP server.  This had been working fine for a long time until this latest problem with the certificate.  I’ve doubted whether this methodology has anything to do with this latest problem but include it here just in case.

What, other than the validity date, would cause a certificate to no longer be valid?  Is there any risk in trusting this certificate as described above?  Otherwise, is there a better way to fix this problem?

Thanks very much for the assistance.
Conmari asked:

Dave commented:
You don't post enough information about the certificate, but many certificate providers have been updating their root certificates with longer keys. They typically have long validity periods as they are going to be used to sign (and re-sign when renewing) other certificates, so they need to be valid for as long as you need.

The reasons for not trusting a certificate are:

1. The certificate has expired.
2. The name used to connect to the certificate does not match any "subject" names in the certificate.
3. The certificate has a key that is no longer considered secure.
4. You don't trust the issuer.
5. The certificate has been revoked.
6. The certificate has been tampered with and the signature check fails.

It looks like in this case the issuer certificate has expired and you don't trust the replacement. As trusted roots are distributed with the software, that's plausible. To fix this you add the issuing certificate to the list of trusted issuers. You will then trust every certificate issued by this trusted cert. If the cert you are installing is for an issuer you trust then it's probably OK...
0
Conmari (Author) commented:
Dave,

Thanks for the reply.  Note that security is an area I know precious little about.  

Below is the rest of the error message generated by Eudora.  Note that the issuer refers to Baltimore Cyber Trust Root.  I was about to ask how I would know how this is related to Verizon but discovered on Wikipedia that Verizon acquired CyberTrust in 2007.


This gives me more confidence about the issuer.

You mentioned that the issuer certificate has expired but doesn't the Validity section shown in the error say otherwise?

Any further insight/advice based on this additional information?  Thank you again.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33554617 (0x20000b9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Validity
            Not Before: May 12 18:46:00 2000 GMT
            Not After : May 12 23:59:00 2025 GMT
        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
0
Conmari (Author) commented:
Oh, I meant to say that I wonder why Verizon tech support wouldn't have said something about updating the certificates.
0
Dave commented:
They wouldn't know about root updates; they are handled by the supplier. But it appears from the Verizon Forums that this is not an unknown problem.

Most current software uses the Windows Trusted Root Certificate store, which is updated as part of Windows Update. If you go into IE, click the cog and choose "Internet Options", Content, Certificates and check in the Trusted Root, you probably have a matching cert, so you are probably already trusting it for many other things already. I certainly have one that looks the same. Eudora uses its own store, so you have to update it manually.

If you do trust the cert you may still find problems as there may be missing intermediates.
0
Conmari (Author) commented:
Dave,

Thanks.  I'll give this a try tomorrow and see if I can get it to work.
0
Conmari (Author) commented:
Interestingly, after simply clicking Yes to trust the certificate in the Eudora error message, sending email worked without having to follow additional steps to install the cert through the Eudora Certificate Manager, as had been mentioned as necessary in a personal blog I had found elsewhere prior to my posting this question.

Something else I find puzzling is that when I view the certificate through the Eudora manager it lists one of its purposes as "Protects E-mail Messages". However, when I view the cert through IE, as you described, "Secure E-mail" is not checked under the Advanced button. This dialog refers only to listing each of the possible choices under "Advanced Purposes". Should this box be checked and what is the result?
0
Dave commented:
OK, let's look at the simple stuff.

The "protect e-mail" use is for S/MIME signed or encrypted messages, so I don't believe it needs to be set, but setting it should not cause any harm.

You are not using it for this purpose; you are using it to encrypt a network connection, so as TLS, or Transport Level Security, which is different.

Also be aware there are multiple fields in the X.509 certificate that describe key usage (I think these are "basic", "extended" and "advanced"), so make sure you are comparing like with like. Assuming I have the same certificate in IE, I see "Secure Email" set in one but not the other two...

My advice is not to try changing these, if it's working.
0
Conmari (Author) commented:
Sorry, I don't follow your mention of "basic", "extended" and "advanced".  

Or "Secure Email" set in one but not the other two...  

Before I leave this question, I'd like to know what you are referring to.

Thanks.
0
Dave commented:
Go to the "certificates" box in IE and single-click on the certificate, and you see a list of certificate extended purposes. Click on the Advanced button and you see a second list which you can change. Click the View button to open the certificate and go to the "Details" tab. Scroll down the fields and note there is a "Key Usage" field, and further down there is an "Enhanced Key Usage" field. See the RFC for details of these fields...

https://www.ietf.org/rfc/rfc2459.txt
0
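Dave's list of rejection reasons above, the fix he describes (adding the issuing certificate to the trusted set), and his later point that the "Secure Email" purpose is separate from what a TLS connection needs can all be exercised in code. The Go program below is an added example, not code from the thread, from Eudora or from Verizon: it builds a constructed lab root plus two server certificates (the names smtp.example.test and Lab Root CA and all function names are invented) and classifies what a client's verification returns for each situation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl over pub with signer (parent == tmpl makes it self-signed) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // the lab templates are fixed, so this can only be a programming error
	}
	cert, _ := x509.ParseCertificate(der) // parse back so Verify sees exactly what a client would receive
	return cert
}

// LabPKI builds a constructed private root and two certs for smtp.example.test signed by it: tlsLeaf with the TLS serverAuth purpose, smimeLeaf with only emailProtection ("Secure Email").
func LabPKI() (root, tlsLeaf, smimeLeaf *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(25, 0, 0)}
	root = issue(rootTmpl, rootTmpl, rootPub, rootKey)
	leaf := func(serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
		pub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's own key pair; only the public half is certified
		return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"smtp.example.test"}, NotBefore: time.Now(),
			NotAfter: time.Now().AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{eku}}, root, pub, rootKey)
	}
	return root, leaf(2, x509.ExtKeyUsageServerAuth), leaf(3, x509.ExtKeyUsageEmailProtection)
}

// Reason verifies leaf as a TLS server certificate for host at time now against the trusted roots and names the outcome as a mail client's certificate dialog would.
func Reason(leaf *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.UnknownAuthorityError: // issuer missing from the client's trusted store: the "unprovided root certificate" case
		return "unknown root"
	case x509.CertificateInvalidError: // outside the validity window, or the purpose (EKU) does not include serverAuth
		if s, ok := map[x509.InvalidReason]string{x509.Expired: "expired", x509.IncompatibleUsage: "not a server certificate"}[e.Reason]; ok {
			return s
		}
	}
	return "rejected: " + err.Error() // e.g. x509.HostnameError when host is not among the certificate's names
}
```

Verifying tlsLeaf against an empty pool gives "unknown root"; the same certificate against a pool holding the lab root gives "ok", while a time past its NotAfter gives "expired" and smimeLeaf, whose only purpose is emailProtection, gives "not a server certificate" even though the root is trusted.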
Conmari (Author) commented:
Dave,

OK, I follow that more or less.  As I said, this is way out of my area of expertise but good to know about at this level for possible future reference.  As you said, it is working and I'm happy to not fix it if it ain't broke provided there isn't something more esoteric that could lead to a security breach.

I didn't see anything on the Verizon forum dated in the last month or so corresponding to when my problem first presented itself (late February) so, just out of curiosity, perhaps I'll post something there to see if anyone else had a similar problem. I usually come to EE first because of the quick response and good advice I get. And I was disappointed that Verizon Tech Support didn't seem to want to provide any further help when I contacted them directly.

Thanks much for your help.  I'll close this question now.
0
Conmari (Author) commented:
Very helpful information.  Thank you.
0